Welcome!%20APNIC%20DNS%20Workshop - PowerPoint PPT Presentation

About This Presentation

Title:

Welcome!%20APNIC%20DNS%20Workshop

Description:

950 Charter Street, Redwood City CA, 94063. 204.152.187.11, 1-650-381-6003 ... apnic.net is in the apnic.net domain and in the net domain. Concept: Domains ... – PowerPoint PPT presentation

Number of Views:55

Avg rating:3.0/5.0

Slides: 55

Provided by: apnictr

Learn more at: https://nsrc.org

Category:

more less

Transcript and Presenter's Notes

Title: Welcome!%20APNIC%20DNS%20Workshop

1
Welcome!APNIC DNS Workshop

15-18 January 2004, Bangalore, India
In conjunction with the SANOG III and the South
Asian IPv6 Summit

2
Introduction

Presenters
Champika Wijayatunga ltchampika_at_apnic.netgt
Senior Training Specialist
Arth Paulite ltarth_at_apnic.netgt
Internet Resource Analyst
Srinivas Chendi ltsunny_at_apnic.netgt
Internet Resource Analyst
lttraining_at_apnic.netgt

3
Acknowledgements

Bill Manning
Olaf M. Kolkman
Ed Lewis
Joe Abley

4
Overview

15 Jan
9.30am - Start
DNS concepts I
TEA BREAK (10.30am - 11.00am)
DNS concepts II
BIND installation
LUNCH (1230pm 200pm)
Lab 1 BIND Installation
Recursive Server
TEA BREAK (300pm 330pm)
Lab 2 Recursive Server

5
Overview

16 Jan
9.30am - Start
Lab 3 Configuring Domains
TEA BREAK (10.30am - 11.00am)
DNS Registries
LUNCH (1230pm 200pm)
Troubleshooting I (dig, traceroutes, nslookup,
ethereal)
Reverse DNS
TEA BREAK (300pm 330pm)
Configuring the Reverse domain
Lab 4 Reverse DNS
IPv6 reverse DNS

6
Overview

17 Jan
9.30am - start
RNDC TSIG
TEA BREAK (10.30am - 11.00am)
Lab 5 - RNDC TSIG
LUNCH (1230pm 200pm)
DNSSEC Presentation
TEA BREAK (300pm 330pm)
Lab 6 - Troubleshooting

7
Overview

18 Jan
9.30am - start
Secured Dynamic Updates
TEA BREAK (10.30am - 11.00am)
Lab 7 Secured Dynamic Updates
LUNCH (1230pm 200pm)
Creating the whole DNS hierarchy
TEA BREAK (300pm 330pm)
Lab 8 - Creating the whole DNS hierarchy

8
Introduction to DNS

9
Purpose of naming

Addresses are used to locate objects
Names are easier to remember than numbers
You would like to get to the address or other
objects using a name
DNS provides a mapping from names to resources of
several types

10
Names and addresses in general

An address is how you get to an endpoint
Typically, hierarchical (for scaling)
950 Charter Street, Redwood City CA, 94063
204.152.187.11, 1-650-381-6003
A name is how an endpoint is referenced
Typically, no structurally significant hierarchy
David, Tokyo, itu.int

11
Naming History

1970s ARPANET
Host.txt maintained by the SRI-NIC
pulled from a single machine
Problems
traffic and load
Name collisions
Consistency
DNS created in 1983 by Paul Mockapetris (RFCs
1034 and 1035), modified, updated, and enhanced
by a myriad of subsequent RFCs

12
DNS

A lookup mechanism for translating objects into
other objects
A globally distributed, loosely coherent,
scalable, reliable, dynamic database
Comprised of three components
A name space
Servers making that name space available
Resolvers (clients) which query the servers about
the name space

13
DNS Features Global Distribution

Data is maintained locally, but retrievable
globally
No single computer has all DNS data
DNS lookups can be performed by any device
Remote DNS data is locally cachable to improve
performance

14
DNS Features Loose Coherency

The database is always internally consistent
Each version of a subset of the database (a zone)
has a serial number
The serial number is incremented on each database
change
Changes to the master copy of the database are
replicated according to timing set by the zone
administrator
Cached data expires according to timeout set by
zone administrator

15
DNS Features Scalability

No limit to the size of the database
One server has over 20,000,000 names
Not a particularly good idea
No limit to the number of queries
24,000 queries per second handled easily
Queries distributed among masters, slaves, and
caches

16
DNS Features Reliability

Data is replicated
Data from master is copied to multiple slaves
Clients can query
Master server
Any of the copies at slave servers
Clients will typically query local caches

17
DNS Features Dynamicity

Database can be updated dynamically
Add/delete/modify of any record
Modification of the master database triggers
replication
Only master can be dynamically updated
Creates a single point of failure

18
Concept DNS Names

The namespace needs to be made hierarchical to be
able to scale.
The idea is to name objects based on
location (within country, set of organizations,
set of companies, etc)
unit within that location (company within set of
company, etc)
object within unit (name of person in company)

19
Concept DNS Names contd.

How names appear in the DNS
Fully Qualified Domain Name (FQDN)
WWW.APNIC.NET.
labels separated by dots
DNS provides a mapping from FQDNs to resources of
several types
Names are used as a key when fetching data in the
DNS

20
Concept DNS Names contd.

Domain names can be mapped to a tree
New branches at the dots

Root DNS
dots
net
edu
com
isi
apnic
whois
www
ftp
whois
21
Concept Resource Records

The DNS maps names into data using Resource
Records.
More detail later

Resource Record
www.apnic.net. A 10.10.10.2
Address Resource
22
Concept Domains

Domains are namespaces
Everything below .com is in the com domain
Everything below apnic.net is in the apnic.net
domain and in the net domain

23
Concept Domains

com
net
edu

google
sun
apnic
tislabs
isi

moon

whois
www
www

ftp
ws1
ws2
24
Delegation

Administrators can create subdomains to group
hosts
According to geography, organizational
affiliation or any other criterion
An administrator of a domain can delegate
responsibility for managing a subdomain to
someone else
But this isnt required
The parent domain retains links to the delegated
subdomain
The parent domain remembers who it delegated
the subdomain to

25
Concept Zones and Delegations

Zones are administrative spaces
Zone administrators are responsible for portion
of a domains name space
Authority is delegated from a parent and to a
child

26
Concept Zones and Delegations

net domain
com
net
edu

google
apnic
tislabs
sun
isi

moon

whois
www
www
ftp

ws1
ws2
27
Concept Name Servers

Name servers answer DNS questions
Several types of name servers
Authoritative servers
master (primary)
slave (secondary)
(Caching) recursive servers
also caching forwarders
Mixture of functionality

28
Concept Name Servers contd.

Authoritative name server
Give authoritative answers for one or more zones
The master server normally loads the data from a
zone file
A slave server normally replicates the data from
the master via a zone transfer

29
Concept Name Servers contd.

Authoritative name server

slave
master
slave
30
Concept Name Servers contd.

Recursive server
Do the actual lookups ask questions to the DNS
on behalf of the clients
Answers are obtained from authoritative servers
but the answers forwarded to the clients are
marked as not authoritative
Answers are stored for future reference in the
cache

31
Concept Resolvers

Resolvers ask the questions to the DNS system on
behalf of the application
Normally implemented in a system library (e.g,
libc)

32
Concept Resolving process Cache

Question www.apnic.net A
root-server
www.apnic.net A ?
Ask net server _at_ X.gtld-servers.net ( glue)
www.apnic.net A ?
Caching forwarder (recursive)
Resolver
192.168.5.10
www.apnic.net A ?
gtld-server
Ask apnic server _at_ ns.apnic.net ( glue)
Add to cache
www.apnic.net A ?
192.168.5.10
apnic-server
33
Concept Resource Records

Resource records consist of its name, its TTL,
its class, its type and its RDATA
TTL is a timing parameter
IN class is widest used
There are multiple types of RR records
Everything behind the type identifier is called
rdata

www.apnic.net. 3600 IN A 10.10.10.2
ttl
Label
type
rdata
class
34
Example RRs in a zone file

apnic.net. 7200 IN SOA ns.apnic.net.
admin.apnic.net. (
2001061501 Serial
43200 Refresh 12 hours
14400 Retry 4 hours
345600 Expire 4 days
7200 Negative cache 2
hours )
apnic.net. 7200 IN NS ns.apnic.net.
apnic.net. 7200 IN NS ns.eu.net.
whois.apnic.net. 3600 IN A 193.0.1.162

host25.apnic.net. 2600 IN A 193.0.3.25
35
Resource Record SOA and NS

The SOA and NS records are used to provide
information about the DNS itself
The NS indicates where information about a given
zone can be found
The SOA record provides information about the
start of authority, i.e. the top of the zone,
also called the APEX

36
Resource Record SOA

net. 3600 IN SOA A.GTLD-SERVERS.net.
nstld.verisign-grs.com. ( 2002021301
serial 30M refresh 15M
retry 1W expiry 1D ) neg.answ.ttl
37
Concept TTL and other Timers

TTL is a timer used in caches
An indication for how long the data may be reused
Data that is expected to be stable can have
high TTLs
SOA timers are used for maintaining consistency
between primary and secondary servers

38
Places where DNS data lives

Changes do not propagate instantly

Slave
Might take up to refresh to get data from master
Not going to net if TTLgt0
Cache server
Master
Registry DB
Slave server
39
To remember...

Multiple authoritative servers to distribute load
and risk
Put your name servers apart from each other
Caches to reduce load to authoritative servers
and reduce response times
SOA timers and TTL need to be tuned to needs of
zone. Stable data higher numbers

40
What have we learned so far

We learned about the architectures of
resolvers,
caching forwarders,
authoritative servers,
timing parameters
We continue writing a zone file

41
Writing a zone file

Zone file is written by the zone administrator
Zone file is read by the master server and its
content is replicated to slave servers
What is in the zone file will end up in the
database
Because of timing issues it might take some time
before the data is actually visible at the client
side

42
First attempt

The header of the zone file
Start with a SOA record
Include authoritative name servers and, if
needed, glue
Add other information
Add other RRs
Delegate to other zones

43
The SOA record

apnic.net. 3600 IN SOA ns.apnic.net.
admin\.email.apnic.net. (
2002021301 serial
1h refresh
30M retry
1W expiry
3600 ) neg. answ. ttl
admin.email_at_apnic.net ? admin\.email.apnic.net
Serial number 32bit circular arithmetic
People often use date format
To be increased after editing
The timers above qualify as reasonable

44
Authoritative NS records and related A records

NS record for all the authoritative servers
They need to carry the zone at the moment you
publish
A records only for in-zone name servers
Delegating NS records might have glue associated

sanog.org. 3600 IN NS NS1.sanog.org. sanog.org.
3600 IN NS NS2.sanog.org. NS1.sanog.org. 3600
IN A 203.0.0.4 NS2.sanog.org. 3600 IN A
193.0.0.202
45
Other data in the zone

Add all the other data to your zone file
Some notes on notation
Note the fully qualified domain name including
trailing dot
Note TTL and CLASS

localhost.sanog.org. 3600 IN A
127.0.0.1 NS1.sanog.org. 4500 IN A
203.0.0.4 www.sanog.org. 3600 IN CNAME
IN.sanog.org. sanog.org. 3600 IN MX 50 mail.sanog.
org.
46
Zone file format short cutsnice formatting

sanog.org. 3600 IN SOA NS1.sanog.org.
admin\.email.sanog.org. ( 2002021301
serial 1h refresh 30M retry
1W expiry 3600 ) neg. answ.
Ttl sanog.org. 3600 IN NS NS1.sanog.org. sanog
.org. 3600 IN NS NS2.sanog.org. sanog.org.
3600 IN MX 50 mail.sanog.org. sanog.org.
3600 IN MX 150 mailhost2.sanog.org. sanog.org.
3600 IN TXT Demonstration and test
zone NS1.sanog.org. 4500 IN A
203.0.0.4 NS2.sanog.org. 3600 IN A
193.0.0.202 localhost.sanog.org. 3600 IN A
127.0.0.1 NS1.sanog.org. 3600 IN A
193.0.0.4 www.sanog.org. 3600 IN CNAME
IN.sanog.org.
47
Zone file short cuts repeating last name

sanog.org. 3600 IN SOA NS1.sanog.org.
admin\.email.sanog.org. ( 2002021301
serial 1h refresh 30M
retry 1W expiry 3600 ) neg. answ.
Ttl 3600 IN NS NS1.sanog.org.
3600 IN NS NS2.sanog.org. 3600 IN
MX 50 mail.sanog.org. 3600 IN MX 150
mailhost2.sanog.org. 3600 IN TXT
Demonstration and test zone NS1.sanog.org.
3600 IN A 203.0.0.4 NS2.sanog.org. 3600
IN A 193.0.0.202 localhost.sanog.org. 4500 IN
A 127.0.0.1 NS1.sanog.org. 3600 IN A
203.0.0.4 www.sanog.org. 3600 IN CNAME
IN.sanog.org.
48
Zone file short cuts default TTL

TTL 3600 Default TTL directive sanog.org. IN
SOA NS1.sanog.org. admin\.email.sanog.org. (
2002021301 serial 1h refresh
30M retry 1W expiry 3600 )
neg. answ. Ttl IN NS
NS1.sanog.org. IN NS
NS2.sanog.org. IN MX 50 mail.sanog.org. IN
MX 150 mailhost2.sanog.org. IN TXT
Demonstration and test zone NS1.sanog.org. IN
A 203.0.0.4 NS2.sanog.org. IN A
193.0.0.202 localhost.sanog.org. 4500 IN A
127.0.0.1 NS1.sanog.org. IN A
203.0.0.4 www.sanog.org. IN CNAME
NS1.sanog.org.
49
Zone file short cuts ORIGIN

TTL 3600 Default TTL directive ORIGIN
sanog.org. _at_ IN SOA NS1 admin\.email.sanog.org
. ( 2002021301 serial 1h
refresh 30M retry 1W expiry
3600 ) neg. answ. Ttl IN NS NS1
IN NS NS2 IN MX 50
mailhost IN MX 150 mailhost2 IN TXT
Demonstration and test zone NS1 IN A
203.0.0.4 NS2 IN A 193.0.0.202 localhost
4500 IN A 127.0.0.1 NS1 IN A
203.0.0.4 www IN CNAME NS1
50
Zone file short cuts Eliminate IN

TTL 3600 Default TTL directive ORIGIN
sanog.org. _at_ SOA NS1 admin\.email.sanog.org.
( 2002021301 serial 1h
refresh 30M retry 1W expiry
3600 ) neg. answ. Ttl NS NS1
NS NS2 MX 50 mailhost MX
150 mailhost2 TXT Demonstration and test
zone NS1 A 203.0.0.4 NS2 A
193.0.0.202 localhost 4500 A 127.0.0.1 NS1
A 203.0.0.4 www CNAME NS1
51
Delegating a zone (becoming a parent)

Delegate authority for a sub domain to another
party (splitting of whois.apnic.net from
apnic.net)

com
net
edu

google
sun
apnic
tislabs
isi

moon

whois
www
www

ftp
ns1
ns2
52
Concept Glue

Delegation is done by adding NS records
whois.apnic.net. NS ns1.whois.apnic.net.
whois.apnic.net. NS ns2.whois.apnic.net.
How to get to ns1 and ns2 We need the addresses
Add glue records to so that resolvers can reach
ns1 and ns2
ns1.whois.apnic.net. A 10.0.0.1
ns2.whois.apnic.net. A 10.0.0.2

53
Concept Glue contd.

Glue is non-authoritative data
Dont include glue for servers that are not in
sub zones

whois.apnic.net. NS ns1.whois.apnic.net. whois.a
pnic.net. NS ns2.apnic.net. whois.apnic.net.
NS ns1.apnic.net.
ns1.whois.apnic.net. A 10.0.0.1
54
Delegating whois.apnic.net. from apnic.net.